Ransomware Experiments on Developing Countries

Chris Swagler | May 15th, 2024


A cybersecurity company has made a startling revelation: cyber threat operators are using developing countries as testing grounds for their latest ransomware experiments. These cybercriminals trial their malicious programs in Africa, Asia, and South America before aiming at wealthier nations with more robust security measures. The strategy is both cunning and cruel. It allows the threat operators to infiltrate less secure systems in the developing world, test their malevolent wares, and then move on to higher-value targets, primarily in North America and Europe. This practice is underscored in a report published by a cybersecurity company that has tracked the evolving tactics of cybercriminals. The report highlights a series of recent ransomware assaults on organizations in developing countries, including a bank in Senegal, a financial services firm in Chile, a tax firm in Colombia, and a governmental economic agency in Argentina.

These attacks are essentially dry runs, allowing the cybercriminals to hone their methods before moving on to wealthier targets. This alarming trend is occurring against the backdrop of a rapidly digitizing world. Cyberattacks have nearly doubled since the onset of the COVID-19 pandemic, with the rate of increase even higher in developing nations, where rapid digitization is coupled with weaker protection measures. The International Monetary Fund (IMF) has noted that losses from cyber incidents have skyrocketed to around $28bn since 2020, with billions of records stolen or compromised. One reason this strategy is so effective is the relative lack of cybersecurity awareness in these developing countries. One Chief Technology Officer at a cybersecurity group explains that new weaponized packages can be trialed in countries like Senegal or Brazil, whose banking systems may resemble those in more developed countries.

The report also spotlighted the activities of Medusa, a cyber gang known for devastating ransomware attacks that “turn files into stone” by encrypting companies’ data. Medusa initiated its campaign in 2023 by attacking businesses in South Africa, Senegal, and Tonga before moving on to more developed countries like the US, UK, Canada, Italy, and France. The typical user might not be aware of an attack until they are locked out of their computer system. A file named !!!READ_ME_MEDUSA!!!.txt would then instruct the user to initiate a ransom negotiation on the dark web. Refusal to comply often results in the publication of the stolen data. To counter these threats, cybersecurity companies are setting up “honeypots,” or decoy servers, in these developing countries to lure cybercriminals and capture their methods. This proactive approach allows them to detect and analyze new vulnerabilities and attack techniques, providing valuable intelligence that can help protect more substantial targets.

However, not all cybercriminals are methodical in their approach. The Director of Threat Intelligence Strategy at Microsoft suggests that some cyber gangs are simply opportunistic, taking advantage of cheap ransomware to stage small-scale attacks. This opportunistic approach is exemplified by smaller-scale threat operators who purchase ransomware from sophisticated groups like Medusa without understanding the technology. They then deploy these tools against easier targets, often in their own countries.

The rapid digital adoption that invites these ransomware experiments in developing countries is outpacing the development of robust cybersecurity measures. This widening gap in defenses is a cause for concern, as it provides fertile ground for cybercriminals to exploit. As the world becomes increasingly interconnected, the need for robust cybersecurity measures in developing countries is more critical than ever. At SpearTip, our Incident Response Planning (IRP) service provides a comprehensive evaluation of a client’s current IRP. If none is currently in place, the Advisory Services team will draft and provide a plan unique to the client’s needs and operations. Our penetration testing leverages an Adversary Emulation methodology to identify and measure risks associated with the exploitation of the client’s attack surface. This emulation identifies attack paths by exploiting identified vulnerabilities and simulating real-world cyberattacks. Our ransomware threat assessments combine policy evaluation and technical testing. The team assesses vulnerabilities within your environment that could lead to ransomware attacks. We provide a review of policies and procedures, detection and protection capabilities, response protocols, and other relevant areas as observed, in addition to the findings from SpearTip’s agent-based deployment within your environment. You will receive actionable advice to adopt practices that mitigate and prevent these types of events.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
